Posts Tagged ‘patch’

A highly critical vulnerability has been discovered in Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension. To exploit the vulnerability, all an attacker needs to do is trick victims into visiting a web page containing specially crafted malicious code in a browser with the affected extension installed. Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, Firefox and other browsers are likely to be affected as well.”

Cisco has already patched the vulnerability and released the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox, which addresses this issue, though “there are no workarounds that address this vulnerability.”

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability. Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.

This is the second time this year that a remote code execution vulnerability has been discovered in the Cisco WebEx extension.

Developers running the open source Git code-repository software and tools, like GitHub, on Mac OS X and Windows computers are strongly advised to install a security update that patches a major security vulnerability in Git clients, one that allows an attacker to hijack end-user computers.

The critical Git vulnerability affects all versions of the official Git client and all the related software that interacts with Git repositories, including GitHub for Windows and Mac OS X, according to a GitHub advisory published Thursday.

HOW GIT BUG WORKS

The vulnerability allows an attacker to execute code remotely on a client’s computer when the client software accesses Git repositories. The GitHub engineering team gave a detailed explanation of how attackers might exploit the vulnerability:

“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” Thursday’s advisory warned. “Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive file system.”
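A defensive check for the condition the advisory describes, added here as an example (not code from GitHub or the Git project): it scans a tree's path list for components that fold to `.git` on a case-insensitive filesystem and, going slightly beyond the advisory, for any two paths that differ only in case. The function names and sample paths are constructed for illustration, and only case folding is modelled.

```python
from collections import defaultdict

# Constructed sample: paths as listed by `git ls-tree -r --name-only <commit>`.
SAMPLE_TREE = [
    "README.md",
    ".gitignore",                     # harmless: not equal to ".git"
    ".github/workflows/ci.yml",       # harmless
    "src/Makefile",
    "src/makefile",                   # collides with src/Makefile when case is ignored
    ".Git/config",                    # lands on .git/config on a case-insensitive FS
    "docs/.GIT/hooks/post-checkout",  # same problem in a nested directory
]


def dotgit_aliases(paths):
    """Paths with any component that becomes '.git' once case is ignored.

    No legitimate tree entry needs such a component, at any depth.
    """
    hits = []
    for path in paths:
        if any(part.lower() == ".git" for part in path.split("/")):
            hits.append(path)
    return hits


def case_collisions(paths):
    """Groups of distinct paths that map to the same file when case is ignored."""
    groups = defaultdict(list)
    for path in paths:
        groups[path.lower()].append(path)
    return [sorted(group) for group in groups.values() if len(group) > 1]


def audit_tree(paths):
    """Combine both checks; an empty report means nothing suspicious was found."""
    report = {}
    aliases = dotgit_aliases(paths)
    collisions = case_collisions(paths)
    if aliases:
        report["dotgit_aliases"] = aliases
    if collisions:
        report["case_collisions"] = collisions
    return report


if __name__ == "__main__":
    for finding, items in audit_tree(SAMPLE_TREE).items():
        print(finding, items)
```

Run against the path list of a repository before checking it out on OS X or Windows with an unpatched client; any `dotgit_aliases` finding means the tree should not be checked out there.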

Today, Oracle has released its quarterly Critical Patch Update (CPU) for the month of July, as part of its monthly security bulletin, in which it fixes a total of 113 new security vulnerabilities for hundreds of the company’s products.

The security update for Oracle’s popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, meaning an attacker wouldn’t need a username and password to exploit them over a network.

MOST CRITICAL ONE TO PATCH FIRST

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most “critical” rating under CVSS, i.e. a base score of 10 or near.

Numerous other Oracle products and software components are also addressed in the latest security updates, including around 29 vulnerabilities in Oracle Fusion Middleware, of which 27 enable remote code execution, seven vulnerabilities in Hyperion products, and five apiece for Oracle Database and E-Business Suite. But Java was the only product affected by security issues scoring the highest critical rating.

[Webcast Correction] Important correction to the webcast. The MITM attack does not just affect DTLS. It does affect TLS (TCP) as well.

Quick Q&A Summary from the webcast:

– The MITM vulnerability only affects servers that run OpenSSL 1.0.1 but all clients. Both have to be vulnerable to exploit this problem.

– The MITM vulnerability is not just DTLS (sorry, had that wrong during the webcast)

– Common DTLS applications: Video/Voice over IP, LDAP, SNMPv3, WebRTC

– Web servers (https) cannot use DTLS.

– OpenVPN’s "auth-tls" feature will likely mitigate all these vulnerabilities

– Even if you use "commercial software", it may still use OpenSSL.

———

The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution. [1]

All versions of OpenSSL are vulnerable to CVE-2014-0195, but this vulnerability only affects DTLS clients or servers (look for SSL VPNs… not so much HTTPS).

I also rated CVE-2014-0224 critical, since it does allow for MITM attacks, one of the reasons you use SSL. But in order to exploit this issue, both client and server have to be vulnerable, and only OpenSSL 1.0.1 is vulnerable on servers (which is why I stuck with "important" for servers). The discoverer of this vulnerability released details here: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html .

It appears that the unsupported Windows XP operating system can continue receiving updates from Microsoft with just a few simple changes. This involves altering Windows XP’s Registry to trick Windows Update into treating the machine as a copy of Windows Embedded POSReady 2009 (WEPOS), a stripped-down version of Windows designed to serve as a point-of-sale terminal.

And POSReady 2009 appears to be really Windows XP SP3 at its heart, given how updates appear to work, according to reports from various security experts and users. This is notable since unlike Windows XP, which was officially retired on April 8, WEPOS 2009 is due to receive patches until April 9, 2019.

“The system is stable, no crashes, no blue screens,” Jerome Segura, a senior security researcher at Malwarebytes, told Computerworld. “I saw no warnings or error messages when I applied patches for .Net and Internet Explorer 8.” Segura further explained that the core of WEPOS 2009 is “pretty much” the same as Windows XP.

Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.

We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers.

The patch pre-announcement does specifically list Windows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP3 even though no more patches were expected for Windows XP.